On 06/01/2016 15:56, Shital Sakhare wrote:
Yes, now I am dropping packets in OUTPUT chain for type 3. Initially, I
implemented the chain to drop type 0 and 8. But it wont worked and the
packets were hitting at firewall for multiple ICMP requests. I didn't
Understand the problem. After posting here I go through all the types of
ICMP types where I understand to drop packets for "Host unreachability" .
Thanks for your help Mr. Gordon 🙏.
On Wed, Jan 6, 2016 at 8:47 PM, Gordon Messmer <gordon.messmer@xxxxxxxxx>
wrote:
On 01/06/2016 05:47 AM, Shital Sakhare wrote:
Thanks, Dropped the ICMP type 3 port. Now question to find the cause.
Well, based on your tcpdump output, it looks like your rules were
rejecting unrelated packets, or tcp/443 packets. It's hard to be sure
since the ICMP was the first packet, so you didn't show the packet it was
actually replying to.
The ICMP traffic is a result of rejecting rather than dropping that
traffic. That is, I think you're looking at the problem wrong. The ICMP
traffic is simply the result of a choice you made. Are you dropping type 3
in the output chain?
I assume you also have rules in the INPUT chain, and one of them reads
something like this:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
When traffic matches this rule your server will respond with an ICMP
request. it sounds like you now have added a rule blocking your server
from sending these responses. You should investigate what is matching
the INPUT rule as it could be malicious activity that should be blocked
further upstream from you (e.g. at the perimeter firewall)
and if you wish to stop your server sending these responses you should
change the rule to DROP instead of REJECT.
Tris
*************************************************************
This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity
to whom they are addressed. If you have received this email
in error please notify postmaster@xxxxxxxx
The views expressed within this email are those of the
individual, and not necessarily those of the organisation
*************************************************************
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos